Process Encrypted Data
Using Encryption as a Service allows you to keep sensitive data encrypted at all times: at rest, in transit and in use. Although this is a powerful security enhancement, there will be situations where you’ll need decrypted data in order to perform validation checks, run calculations, or do some other processing.
Evervault Functions lets you process sensitive plaintext data in a secure environment by using serverless functions that are hosted on Evervault’s infrastructure and written in Node.js or Python.
Any encrypted data that is passed to a Function is decrypted by the Function’s runtime. This allows you to perform logic on that data as you normally would — without handling it in plaintext on your infrastructure.
Deploy the Function
The easiest way to deploy a Function is via the Evervault Dashboard. Navigate to the Functions tab, click Create Function, Authenticate with GitHub, then deploy the Starter Template in either Node.js or Python. Depending on which language you choose, the following code will be deployed:
Although we’re using a Function Template here, you can deploy any Node.js or Python code to a Function as long as it assumes the same function handler syntax. You’ll notice that the Function runtime passes two arguments to the handler method: data and context. The data argument includes (previously encrypted) data that is decrypted by the Function runtime. The context argument exposes an encrypt method which can be used to encrypt data within the body of a Function.
This Starter Template code expects an encrypted name value, which is decrypted by the Function runtime, before its characters are counted and returned.
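A handler of the shape described above, as an added example rather than Evervault's Starter Template: it validates the decrypted name, counts its characters, and hands the name back only after re-encrypting it with context.encrypt. The stubContext object and the ok/error fields are constructed for local testing, and the export line assumes the Node.js runtime looks for an export named handler.

```javascript
// Added example, not Evervault's Starter Template.
// From the page: the handler receives (data, context), data.name arrives
// already decrypted, and context.encrypt encrypts values inside the Function.
async function handler(data, context) {
  const name = data && data.name;

  // Validate the decrypted input before using it; never echo it in an error.
  if (typeof name !== "string" || name.length === 0 || name.length > 256) {
    return { ok: false, error: "name must be a non-empty string (max 256)" };
  }

  // Count Unicode code points rather than UTF-16 code units, so a
  // character outside the BMP (an emoji, for example) counts once.
  const length = [...name].length;

  // Return the derived value plus a re-encrypted copy of the input, so the
  // plaintext name never leaves the Function. Do not log `name` either.
  return { ok: true, length, name: await context.encrypt(name) };
}

// Assumption: the runtime loads the handler from an export named "handler".
if (typeof module !== "undefined") module.exports = { handler };

// Constructed stand-in for the runtime's context object, for local tests
// only. It performs no encryption; it returns a marker that does not
// contain the input.
const stubContext = {
  encrypt: async (value) => `stub-ciphertext(${[...String(value)].length})`,
};

// Local run with constructed input, skipped when the file is imported.
if (typeof require !== "undefined" && require.main === module) {
  handler({ name: "Claire" }, stubContext).then((out) => console.log(out));
}
```

Run locally, the handler receives whatever you pass as data; inside a deployed Function the runtime performs the decryption before the handler is called.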
Run the Function
Functions can be invoked using our Server-Side SDKs, our CLI or by sending an HTTPS request. To invoke a Function, you’ll need the Function Name, which can be found in the Evervault Dashboard, along with an encrypted payload. Try any of the examples below to run the Function we just created in a language of your choice:
If you run the Function, the encrypted value for name is decrypted by the Function runtime, allowing the character counting logic to be performed on the plaintext value.
If the Function ran successfully, the following response will be returned. Any payload returned from a Function will be contained within the result key. The response will also include a runId, a unique identifier for this Function’s invocation. Lastly, the appUuid in the response includes the identifier for the Evervault App that this Function belongs to.
Summary
Functions are a useful Primitive for processing data that was previously encrypted by Evervault. To learn more about the capabilities and specifications of Functions, check out the Functions Primitive or the Server-Side SDK Reference documentation for your language of choice.